alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Turla JS/Kopiluwak Sending Information (POST)"; flow:established,to_server; urilen:29; http.method; content:"POST"; http.uri; content:"/uploads/wp-config-themes.php"; fast_pattern; http.header_names; content:!"Referer"; content:!"Cookie"; http.content_len; byte_test:0,>,30000,0,string,dec; reference:md5,2eb6df8795f513c324746646b594c019; reference:md5,d8233448a3400c5677708a8500e3b2a0; reference:url,www.mandiant.com/resources/blog/turla-galaxy-opportunity; classtype:trojan-activity; sid:2043232; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_06, deployment Perimeter, malware_family Turla_Kopiluwak, malware_family Turla, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_06;)